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ABSTRACT 

Internet became a vital part of our life so from a small to big company has set up their own network. Thus, to prevent the 
company's network security breached and private information might leak out it is important to implement good network 
security. The current limitation of IPS only relies on the global signature to determine packet. A mix mode method will be used 
to collect primary data via survey and interview. The sample size selection criteria for the questionnaire is Private University 
Students, lecture and industry experts who have networking knowledge. Furthermore, the simulation test will be done using 
virtualization to simulate the network environment to implement the self-updated IPS to protect the server. This helps to 
validate the workability of the proposed. Last with the implementation of the security measure of a network that able to help 
the user to gain the trust towards the digital society. 
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1. INTRODUCTION ON THE IMPORTANCE OF 
NETWORK SECURITY FOR KDU University College 

University student becoming the target of cyber-attack rate is 
increasingly high rate because university student spends 
more time on the Internet. [1] Furthermore, recently there is a 
largest lTbps DDoS attacked happened attacker use a lot of 
smart devices included IoT devices to launch a huge DDoS 
attacked.[2] Moreover, nowadays cloud computing is so 
popular, there is so many companies subscribe to cloud 
storage and services but even these cloud hosting company 
also have the risk that gets a DDoS attack.[3] From cases 
above able to know that DDoS will make a company have a 
big loss in financial and it is difficult to avoid. In a 
questionnaire conducted by Association of Governing Boards 
of Universities and Colleges and United Educators found that 
there are more universities increasingly engage in cyber 
risk.[4] KDU University College is a medium-size company 
that main business is education. They had set up their own 
network and servers. Thus, there are a chances that KDU 
University College became a target and get attack by a hacker. 
Normally hacker will not attack things that are not beneficial 
to them. So once the attack succeeds private information may 
leak out, the system may break down and the victim will have 
loss of trust, KDU University College may have Image and 
reputation damage, and business may not able to continue for 
some period due to the breakdown of the system. Thus, KDU 
University College needs some security to prevent these 
unpredictable attack. Psad is an intrusion detection software 
that contains 3 lightweight daemons and it also able to 
perform log analysis. Besides that's, iptables is an application 
work with a Linux firewall and allow the system 
administrator to configure the tables, chain, and rules that are 
stored. Currently, iptables is able to support ipv4 and ipv6. In 
this research will using Psad and iptables provide an 
emergency temporary solution to protect servers from 
unpredictable attacks. 

IPS is a technology security to secure all hosts from attack. 
The job for IPS is to examine network traffic flows to scan and 
to prevent vulnerability exploits by an attacker. So suppose a 


network had set up an IPS and the network should be secured 
and any attack may not able to attack the network. However, 
it is not working like that in reality and this is the major 
problem statement. In a network, that setup IPS but still has 
chances that get an attack. For example, a DDoS attack is one 
type of attack that not sending malicious packet but it still 
able to attack servers. Since IPS are working like first need to 
scan packets and if that packet is malicious then drop it and if 
the packets are not malicious then let it go into the network. 
Therefore, IPS will keep allowing those packets that are not 
malicious but keep repeating come in so when the server not 
able to sustain the traffic it will break down. In the response 
to this problem, our study proposed identifying what are the 
ways able to reduce the chances that important host get an 
attack. Furthermore, this project will also look into which is 
the most effective way to mitigate the problem stated above. 

The research aims to deliver the following objectives as 
shown below. 

RO1: To improve the efficiency of security by implementing 
a IPS to learn the actual attack methods that are 
actually happening on site of in the KDU network 
R02: To trim down the administrative burden of KDU 
network to the network administrator. 

R03: To mitigate the possible financial implication from the 
effect of the intrusion 

Currently, most of the IPS detect threat is based on the global 
signature. Thus, if there is an attack the signature is not 
Inside database of the IPS signature to KDU University 
College server. IPS not able to detect it and the attack will 
successfully attack the server. To having a IPS that could 
learn the real attack able to prevent this case happen. 

To monitor a whole network is an important job for the 
network administrator. Once the network had anything 
happens network administrator have to solve it as fast as 
possible. It is because any problem in the network may affect 
the whole business not able to run normally. However, 
normally a medium size enterprise IT department does not 
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have that many staff so the IT staff in medium size company 
may need to monitor the network also need to handle desk 
inquiry and some technical support. Hence, trim down the 
administrative burden of network IT staff able to spend the 
time work on another task. 

Normally a hacker will not attack a target for fun, normally 
they have attacked for something for example money, 
information, or other valuable things that will benefit the 
attacker. Attacker benefits something from attack the target 
will lose something. Therefore, by reducing the chance and 
risk that KDU University have a huge loss from the effect of 
attack security of the network is a key to protecting the asset 
of KDU University College. 

This paper aims to answer the above research objective via 
the research question as shown below: - 
RQ1: How to improve the efficiency of security for KDU 
server? 

RQ2: How to automate the detection to allow network 
administrators to have more time to focus on another 
task? 

RQ3: How to reduce negative financial impact from the 
effect of intrusion? 

2. LITERATURE REVIEW 
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Figure 1: Conventional Topology 

Figure 1 shown current topology that implemented IPS in the 
network. There are only 2 categories of IPS which is network 
based and host based.[5] In this project, the implementation 
will focus on host-based IPS. The normal IPS is download 
signature from the internet and scan the packets that coming 
in and out. Once the packet has the code that matches with 
IPS signature it will block it to coming in or going out. 
However, not all attack is recorded in the signature. Some 
attack like ping it looks harmless but if there is a machine 
keep ping the server the server may not able to sustain with 
the traffic it may cause server down. Thus, since KDU 
University College have their own private network and 
servers, therefore may have a chance to get an attack. 

In a work published by JosephNg PS & Kang CM (2016) stated 
that" This ITconomic paradox has been long debated over its 
tangible and intangible contributions , yet information 
technology continues to be a major user of costly capital 
expenditure and laggard operating expenses in today's 
electronic economy ” [6] From the statement above know that 
nowadays information technology system is widely used in 
any sector. There are a lot of business able to grow bigger is 
because technology helped them to centralized data makes 
things manageable. 

To choose an IPS first need to know which area want IPS to 
protect. For network-based IPS is monitor a part of network 


devices or segments. Network-based IPS will detect and block 
any suspicious activity that happened in the area that IPS 
protected. [7]. Besides that, wireless IPS is like network-based 
IPS but it only monitors the wireless network to identify any 
suspicious activities involved in a wireless network. 
However, wireless IPS is not able to identify suspicious 
activity in applications or higher level of protocols. Moreover, 
THE next type of IPS is network behaviour analysis this kind 
of IPS will observe network traffic to detect threats that 
produce abnormal traffic flow like DDoS attack and also able 
to detect certain malware like backdoors and worms. 
Normally this kind of IPS is set up to monitor internal 
network flow. Last is host-based IPS this kind of IPS only 
monitors a single host to identify this machine have any 
suspicious activity. This type of IPS able to detect suspicious 
activity from application and network. Host-based IPS are the 
last line of defence of a server. Normally this kind of IPS only 
set up in a critical host. In this project the IPS will use for KDU 
University College is a host-based IPS. There are an open 
source host-based IPS called PSAD + Iptables. It is very 
popular and it is well documented for Linux. 

PSAD is an IDS that able to identify attacker IP from Log. 
Since it is an IDS so it does not provide any action that able to 
prevent the attack. However, Psad is able to integrate with 
Iptables. Iptables is a Linux firewall, it only knows to allow or 
block. Since Psad able to identify and Iptables able to do 
action so Psad and iptables work together it works same as 
IPS. If there is an attacker trying to attack server but the 
attacker wants to do an active recon attack to the server so 
the attacker use port scanning software to scan the server to 
obtain information of the server to do the next step like, try to 
obtain what service and version of software is using to do the 
next level of attack. So in this situation if the server is 
installed Psad IPS it will block the attacker IP do not allow the 
connection of attacker to the server since Psad IPS know that 
this IP is malicious. Thus, the attacker not able to perform the 
next attack and the server is safe on that night. 


In this section will discuss research methodology that will be 
used in this project. Furthermore, this topic also will talk 
about what technique will be used for data collection and the 
reason for choosing it. For this project, a mixed methods 
design is chosen. Thus, quantitative and qualitative research 
method is used in this project. There are three methods 
chosen for research which is a questionnaire, interview, and 
experiment. In 2016 Professor Janice Morse stated 

"A mixed method design, if conducted with deliberate care, is 
a stronger design than one that uses the single method 
because the supplemental component enhances the validity 
of the project by enriching or expanding our understanding 
or by verifying our results from another perspective." 

The data is to be collected via the following 

methodology as summarized in 

Table below. 


Table 1: Research Methodology [6], [8]-[13] 


Research 

Dimension 

Explanatory Sequential 
Design 

Research 

Methodology 

Quantitative Generalization 
Qualitative Reasoning 

Data Collection 

Online Survey 


3. METHODOLOGY 
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Figure 2 : Sequential Design [6], [8]-[ll],[13] 


The figure above is the sequential design methodology 
diagram for this project [6], [8]- [11], [13]. Since this project 
is using mixed methods, so both the quantitative and 
qualitative technique will be used in this project for data 
collection. Furthermore, Professor Janice Morse in the year 
(1991) also stated "A sequential explanatory design is 
typically used to explain and interpret quantitative results 
by collecting and analyzing follow-up qualitative data. It can 
be especially useful when unexpected results arise from a 
quantitative study".[14] Moreover, from the figure above 
able to see that before anything starts the first step of 
research is to generalize exploratory analysis. Basically, is 
doing data collection by using quantitative data collection 
technique and from the result simplify the whole idea of 
research. Next, after generalized exploratory analysis need 
to detect outliers and anomalies from the resulting follow-up 
with reasoning. After that, qualitative data collection needs 
to be conducted. The reason to conduct qualitative data 
collection is to do the in-depth explanatory analysis for 
reasoning the previous result from quantitative. Therefore, 
characteristics interpretation is done by using the depth- 
explanatory analysis. Next, after collecting data and analyzed 
it need to do experimental validation. Experimental 
validation is to validate data that collected previously by 
experiment. From experiment able to know data that 
collected previously is true or false. So after experiment then 
able to get the result from the experiment and make a 
conclusion to know is the idea able to work or not. 



Figure 3: Network Topology 


The testing will be conducted via a virtual machine. In the 
testing environment will be set up 2 attackers, 1 IPS that 
installed on the server machine. All machine will connect 
with each other as the figure below except the cloud symbol 
that is for explaining the purpose. The first thing wants to 
test is all of them is connected with each other so use ping to 


test the connectivity. Furthermore, the different between 
Psad IPS and normal IPS is it will revise log to block the 
localized attack. From the figure below able to see that there 
are two categories of machine connect to a server which is 
attacker and staff. The IPS that in the middle of the diagram 
is actually a software that installed on the server. IPS able to 
download global signature and revise their own log so 
anyone want to connect to server IPS will check is there any 
pattern that matches global signature and their own log if 
not then the IPS will allow it go into the server. 

Which security instrument you think all 
company/University should install ? 

30 



IPS IDS Firewall Antivirus 


Figure 3: Corporate Security System Trend 

In figure 3 this question is asking respondent what are the 
security system should install in a company or university 
environment. From the respond of this question know that 
IPS get the most voted which 67% of respondent voted IPS 
and follow with firewall get 61%, 51% of respondent voted 
IDS and 48% of respondents voted Antivirus and there is an 
others selection no respondent vote it. Furthermore, from 
this result also able to know that people have the trust with 
IPS so implement IPS into the network it not only will help to 
secure the network also able to build the trust of the 
network security with the user. 

Dur ing non-working hour (e.g. 10 pm to 6 am) is 
there any network administrator to monitor the 
network ? 



■ Yes ■ No 

Figure 4: Administrator Burden of Network 

In figure 4 question is during non-working hour any network 
administrator monitors the network? The majority of the 
respondent choose no it is up to 74%. From this question, we 
are able to know that most of the company do not have a 
network administrator on duty after working hour. 
However, there are 26% of respondents chose during 
nonworking hours also have network administrator to 
monitor the network. It means that some company network 
is very critical to their business. Furthermore, the 74% of 
respondents do not have anyone to monitor the network 
during the non-working hours. It means that in this period 
network security is rely on the security system. In this time 
is easier for an attacker to launch an attack since there is no 
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one to stop the attack if the attacker launches a localized 
attack in this time will easily attack the main server. 

4. RESULTS AND FINDINGS 

Port Scanning attack 

r root@kali: - © © © 

_ FUe Edit View Search Terminal Help _ 


:-A ping 192.168.80.10 

PING 192.168.80.10 <192.168.89.10) 56(84) bytes of data. 

64 bytes from 192.168.80.10: icmp seq=l ttl=64 tlme=0.587 ms 

64 bytes from 192.168.80.19: icmp seq=2 ttl=64 time^0.567 ms 

64 bytes from 192.168.80.10: icmp seq=3 ttl=64 time=0.581 ms 

64 bytes from 192.168.80.10: icmp_seq=4 ttl=64 time=0.503 ms 

64 bytes from 192.168.80.10: icmp seq=5 ttl=64 time=0.876 ms 

A C 

• 192.168.80.10 ping statistics 

5 packets transmitted, 5 received, 0% packet loss, time 3999ms 
rtt min/avg/max/mdev = 0.503/0.622/0.876/0.133 ms 

| 


Figure 5: Pretest 


Figure 7 shows that the attacker machine is unable to ping 
the server after the attack. It proved that the IPS blocks the 
connection from attacker IP automatically. The attacker had 
sent 9 pings and the server did not give any response to the 
attacker so there show 9 packets are sent and 100% packet 
loss. 

DOS attack 



Figure 8: Pretest 


In figure 5 able to see that attacker machine before the 
attack, the server the connection between attacker and 
server is up. 


root@kall: - Q © © 

Ftte Edit View Search Terminal Help _ 


ping 192.168.80.10 

PING 192.168.80.10 (192.168.80.10) 56(84) bytes of data. 

64 bytes from 192.168.80.10: icmp seq=l ttl=64 time=0.587 ms 

64 bytes from 192.168.80.10: icmp seq=2 ttl=64 time=0.567 ms 

64 bytes from 192.168.80.19: icmp seq=3 ttl=64 time=0.581 ms 

64 bytes from 192.168.80.10: icmp seq=4 ttl=64 time=9.503 ms 

64 bytes from 192.168.80.10: icmp seq=5 ttl=64 time=0.876 ms 

■ A C 

--- 192.168.80.10 ping statistics --- 

5 packets transmitted, 5 received, 0% packet loss, time 3999ms 
rtt min/avg/max/mdev = 0.503/0.622/0.876/0.133 ms 
:-# nmap 192.168.80.10 

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-0819 10:48 EOT 
Nmap scan report for 192.168.80.10 
9 Host is up (0.00050s latency). 

Not shown: 999 closed ports 
PORT STATE SERVICE 
80/tcp open http 

MAC Address: 00:0C:29:B2:A6:4F (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 13.34 seconds 


Figure 6: Port Scan Attack 


From figure 6 able to see that the attacker successfully port 
scan the server. From the content of the terminal able to see 
that the server port 80 is open and another 999 port is 
closed. 


Figure 8 shows that the attacker Pc is successfully pinged the 
server before the attack. It means that the connection from 
an attacker with the server is up. 



Attack l-i IV In rim#-; 7 jiM 


' :>-r-rcr) 


Attacker? 



64 bytes from 192.168 8© 1®- Icmp soq=4 tt1=64 tlnc=Q.503 ms 
64 bytes from 192.168.80.16: icmp seq=5 ttl=64 tine=G,876 ms 
A C 

192.168.80.10 ping statistics 

5 packets transmitted, 5 received, 0% packet loss, time 3999ns 
rtt mln/nvg/max/ndev - 0.503/0.622/0.876/8.133 ms 
:-# nmap 192.168.80.10 

Storting Nmap 7.25BETA2 ( https://nnop.org > at 2017-08-19 10:48 EDT 
Nmap scan report for 192.168.60.16 
Host is up (0.00050s latency). 

Not shown: 999 closed ports 
PORT STATE SERVICE 
86/tcp open http 

KAC Address: 0G:QC:29:B2:A6:4F IVMwore) 

Nmap done: 1 IP address (1 host up) scanned in 13.34 seconds 
: * ping 192.168.80.10 

PING 192.168.80.10 (192.168.80.10) 56(84) bytes Of data. 

A C 

--- 192.168.80.18 ping statistics --- 

9 packets transmitted^ 0 received, 100\ packet loss, time 7999tis 


Figure 7: Post Attack Testing 



Figure 9: DOS Attack 


In figure 9 showed the Windows attacker start attack with 
LOIC software. This is an open source stress testing software 
for the server by launching Dos attack to the server. From 
the figure above shows that attacker is Lock on the server IP 
and chose port 80 and HTTP types of packets sent to the 
server. 
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Microsoft Uindous [Uersion 6.1.7601] 

Copyright <c> 2009 Microsoft Corporation, fill rights reserved. 


C:\Uindous\systen32>ping 192.168.80.10 

Pinging 192.168.80.10 uith 32 bytes of data: 

Request timed out. 

Request timed out. 

Request timed out. 

Request timed out. 

Ping statistics for 192.168.80.10: 

Packets: Sent = 4, Received = 0, Lost = 4 ClQQy. loss}, 

C:\Uindows\system32>_ 


Figure 10: Post Test 

Figure 10 is using attacker to ping server after the Dos 
attack. From this screenshot able to see that the attacker is 


failed to ping the server. The result from attacker to ping 
server after the attack it shown request timeout. 


Pin g of Death __ 

r root®kali: * O 0 O 

File Edit View Search Terminal Help 


' I**'; • MtwfcrrJ r“15rt)rt 



Figure 13: Post Test 


ping 192.168.80.10 

PING 192.168.80.10 (192.168.80.10) 56(84) bytes of data. 

64 bytes from 192.168.80.10: icmp seq=l tt1=64 time=l.ll ms 

64 bytes from 192.168.80.10: icmp seq=2 tt1=64 time=0.661 ms 

64 bytes from 192.168.80.10: icmp seq=3 ttl=64 time=0.728 ms 

64 bytes from 192.168.80.10: icmp seq=4 ttl=64 time=0.381 ms 

A C 

--- 192.168.80.10 ping statistics --- 

4 packets transmitted, 4 received, 0% packet loss, time 3002ms 
rtt min/avg/max/mdev = 0.381/0.720/1.112/0.262 ms 
: -# | 


Figure 11: Pretest 


The figure 11 is the attacker pc try to ping the server and 
from the screenshot able to see that the ping from attacker 
to the server before the attack is successful. 



Figure 12: Launch Ping of Death 

Figure 12 shows the attacker use the Ping of Death method 
from attacker to server. This is an attack keep on sending a 
ping packet to the server. The command for this attack 
shown below. 

Command: ping -I 0 (server ip) 

Example: ping -I 0 192.168.80.10 


From figure 13 show that the attacker no longer able to ping 
server after the attack. This also shown that the experiment 
for this attack also successful. From above shown 3 types of 
attacks to servers. These 3 types of attacks experiment are 
not only 1 to 1 machine testing. For all 3 experiments also 
included another 1 machine act as company staff to test the 
connection to prevent the IPS will block all the connection 
including local staff connection. 

5. Limitation 

The limitation for this project is not enough memory 
resources to perform the DOS attack due to some attack need 
high memory consumption. So may have some delay error 
during the experiment. Furthermore, due to the time 
limitation of this project only 31 respondents for the 
questionnaire and only 3 attacks is tested. 
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